gjtorikian/html-pipeline

Can't seem to get a <script> to run when added to the allowlist?

Closed this issue · 2 comments

I'm trying to allow for a <script> tag to run as it would normally if you were to include it in an HTML file. I know the security concerns associated with this, but there is a specific use case the markdown editor has that requires us to be able to include <script> tags.

I have the following code example:

    def render
      pipeline = HTMLPipeline.new \
        convert_filter: HTMLPipeline::ConvertFilter::MarkdownFilter.new,
        sanitization_config: sanitization_config
      result = pipeline.call("<script>console.log(1)</script>")
      result[:output].html_safe
    end

    def sanitization_config
      config = HTMLPipeline::SanitizationFilter::DEFAULT_CONFIG.deep_dup
      config[:elements] << "script"
      config
    end

Is there something I am missing with the `sanitization_config` so the `console.log(1)` fires correctly in the dev console?

I think I might know what's going on: the MarkdownFilter has its own sanitization process.

Could you let me know if this works?

    pipeline = HTMLPipeline.new \
      convert_filter: HTMLPipeline::ConvertFilter::MarkdownFilter.new,
      sanitization_config: sanitization_config
    result = pipeline.call("<script>console.log(1)</script>", context: { markdown: { render: { unsafe: true } } })

If this does fix it, short of additional documentation, I'm not sure how best to resolve this. Would one expect the addition of "unsafe" elements in the sanitization to always permit unsafe elements throughout the pipeline? I'm not sure.

waiting to hear back